(2016-05-28, 01:28 PM)TheGarfield Wrote: [ -> ] (2016-05-27, 10:00 AM)Euan T Wrote: [ -> ]MyBB is written in PHP though, and will not be rewritten in Node.js due to it not being supported on the majority of shared hosts that most of our users use (and also due to the fact that most of our team are far more familiar with PHP).
I don't think that KieronWiltshire was asking the team to rewrite the whole project in Javascript, he was rather giving you an example (that happens to be written in Javascript) just to get what he means.
And it's actually pretty neat.
MyBB 1.0 for instance has a scalable permission system through groups and permissions, each permission is stored inside a SQL column (the usergroups table for example has as many columns as there are permissions in MyBB, and that's not very scalable, even though it's very convenient).
His suggestion was to make something like :
Imagine I am the author of MyAlerts (poke @Euan T) and I want to create a supertype of administrators that can manage MyAlerts plugin, I will declare a new Role :
// declaring new role
use MyBB\Core\Roles\Role;
$role = new Role("myalertsadmin");
$role->setName("My Alert's Admin");
$role->setDescription("This group can manage MyAlerts");
I will create a "Node", or a part of my app that I want to protect, since I'm protecting MyAlerts' admin area :
use MyBB\Core\Node;
$node = new Node("admin.dashboard.myalerts");
$node->setName("MyAlert's Dashboard");
$node->setDescription("This is the dashboard of MyAlerts");
What roles can access that node?
// my newly created role "myalertsadmin" can actually access the MyAlert's Dashboard
$node->give($role);
Of course I have to give the role to the desired users :
$role->give($user);
Lastly, protect my MyAlerts' Dashboard against those who don't have any role that gives them access to admin.dashboard.myalerts :
if ($currentUser->isPermitted("admin.dashboard.myalerts")) {
// go on
} else {
// stop there, you don't have the role
}
With that, you can use wildcards in permission check :
if ($user->isPermitted("admin.dashboard.*")) {
// this $user has atleast one role that gives him access to admin.dashboard.something
}
The options are endless, and it's actually easy 
More examples in :
https://www.npmjs.com/package/ezpermissions
I'm glad you like my permission system! haha
But, you what I should stress is that you should NEVER check against wildcards.
The goal was that each action requires it's own permission, for example:
To post a thread: mybb.thread.post
To post a reply: mybb.thread.reply
An admin would contain the wildcard: mybb.*
So now, when the checks against "mybb.thread.post" or "mybb.thread.reply" are made, the admin has the sub-permissions.
Yeah something like this would be great, and it's pretty scalable, even from a plugin's perspective.
In regards to using JWTs, if you plan on exposing some of the requests through an api, then JWT would be the way forward imo, a simple "login" request could be made, where a JWT is returned, and then used to continue making requests on the user's behalf.
The reason I ask for JWT's to be used, is because JWT is stateless and can technically be used cross-platform. I plan on creating another website (in nodejs) that uses mybb's authentication mech. Life would be much simpler if JWTs were supported
